Security reviews and penetration testing: why you may need to take a more proactive approach to cyber security

In its latest 2016 report, the Australian Cyber Security Centre reported over 14,000 cyber security incidents, including 1,095 incidents on government systems which were considered serious enough to warrant operational responses.

Protecting your business effectively starts with proactive security reviews that include penetration testing. An effective security review could have picked up the vulnerabilities exploited in these incidents, many of which could have been prevented relatively easily. That would have saved the affected companies significant money and the time it takes to recover from an attack.

It’s important to understand how security reviews can protect your business from falling victim to cyber threats.

What’s involved in a security review?

A security review is verification that industry or internal security standards have been applied to system components or products. The review process usually includes a gap analysis using questionnaires or interviews, configuration review, and a review of design documents and architecture diagrams. The review should cover both application and infrastructure solutions.

You can use the results to make a business case for increased investment in security. You can also use it to direct your resources to where they’ll be most effective, whether that’s an employee awareness and education campaign, security policies, response times, or other areas.

One valuable tool you can use as part of your security review is penetration testing. It’s one of the best, most practical, and most effective ways to check the strength of your security measures. By simulating an attack, you can see where the weaknesses are in your system. These are the potential entry points for attackers, which include both network vulnerabilities and human error.

What if we already have strong security measures in place?

Most organisations’ systems change and evolve over time, including implementing new systems or upgrading existing ones. This can introduce new vulnerabilities into the network. Unfortunately, too many businesses put security measures in place and never think about them again, so new vulnerabilities can go unnoticed. This is especially the case for smaller organisations that believe they’ll never be the target of an attack. They don’t invest enough time or resources in protecting themselves and put themselves at risk without even realising it. If this sounds like your organisation, it’s time to make a change.

You must conduct security reviews as a matter of routine, regardless of the size of your business or your perception of the cyber threats that may apply to you. The threat landscape continues to evolve and cybercriminals are becoming smarter and more sophisticated all the time. What works for your business today won’t necessarily work in a few months’ time when criminals have figured out new ways to attack.

When should I do a security review?

Security reviews can be performed proactively or reactively. These are some common triggers to consider.

Proactive:

when a new application and/or infrastructure is under development (i.e. new projects)

when existing applications or infrastructure are undergoing significant change

as part of a scheduled review calendar.

Reactive:

when a security incident has occurred, raising concerns of broader security gaps

as part of an IT audit.

What solutions or systems should be reviewed?

A security review is recommended for the following systems:

A proposed new solution, or an existing one, that will hold or impact customer data, employee data, financial data or business operations information. This applies to both in-house solutions and vendor-provided products.

A customer-facing solution which has the potential to affect brand or reputation if a security incident occurs, regardless of the severity of the incident.

An application or infrastructure which will be hosted or managed by a third party.

Is it enough to do penetration testing?

Not necessarily. While penetration testing is invaluable, it cannot detect everything. For example, if something is prohibited by policy but not by technology, then penetration testing won’t detect it. Also, zero-day vulnerabilities are generally not detectable through penetration testing. So, it’s crucial for you to have multiple processes and technologies in place to protect against threats across a broad surface area.

How does penetration testing work?

Pen testing involves staging a realistic yet simulated attack on the network and systems. It can include physically testing the ability to gain access to control rooms, data centres, secure branch locations, etc.

For new applications or infrastructure under development, a pen test should ideally be performed in a staging environment prior to deployment to production. For deployed solutions, the pen test should be performed in the production environment.

Why do penetration testing?

Organisations will generally perform penetration testing for one of the following reasons:

understand an attacker’s ability to gain access to confidential information, or to affect data integrity or the availability of a service, and the resulting impact

replicate how a previous attack occurred, where the cause is ambiguous

identify weaknesses that may be difficult or impossible to detect with automated network or application vulnerability scanning software

as part of a test of the organisation’s ability to identify and respond to security incidents.

The key for all organisations, regardless of size, is to take a proactive approach to security testing and reviews to make sure your organisation is protected. Staff education is also key and shouldn’t be overlooked, as many breaches occur as a consequence of an employee’s lack of security knowledge or negligence.